Sparse pseudorandom distributions

The existence of sparse pseudorandom distributions is proved. These are probability distributions concentrated in a very small set of strings, yet it is infeasible for any polynomial-time algorithm to distinguish between truly random coins and coins selected according to these distributions. It is shown that such distributions can be generated by (nonpolynomial) probabilistic algorithms, while probabilistic polynomial-time algorithms cannot even approximate all the pseudorandom distributions. Moreover, we show the existence of evasive pseudorandom distributions which are not only sparse, but also have the property that no polynomial-time algorithm may find an element in their support, except for a negligible probability. All these results are proved independently of any intractability assumption.     

Simple Constructions of Almost k-wise Independent Random Variables

We present three alternative simple constructions of small probability spaces on n bits for which any k bits are almost independent. The number of bits used to specify a point in the sample space is (2 + o(1)) (log log n + k/2 + log k + log 1/?), where ? is the statistical difference between the distribution induced on any k bit locations and the uniform distribution. This is asymptotically comparable to the construction recently presented by Naor and Naor (our size bound is better as long as ? < 1/(k log n)). An additional advantage of our constructions is their simplicity.     

A fair protocol for signing contracts

Two parties, A and B, want to sign a contract C over a communication network. To do so, they must simultaneously exchange their commitments to C. Since simultaneous exchange is usually impossible in practice, protocols are needed to approximate simultaneity by exchanging partial commitments in piece-by-piece manner. During such a protocol, one party or another may have a slight advantage; a fair protocol keeps this advantage within acceptable limits. A new protocol is proposed. It is fair in the sense that, at any stage in its execution, the conditional probability that one party cannot commit both parties to the contract given that the other party can, is close to zero. This is true even if A and B have vastly different computing powers and is proved under very weak cryptographic assumptions     

A uniform-complexity treatment of encryption and zero-knowledge

We provide a treatment of encryption and zero-knowledge in terms of uniform complexity measures. This treatment is appropriate for cryptographic settings modeled by probabilistic polynomial-time machines. Our uniform treatment allows the construction of secure encryption schemes and zero-knowledge proof systems (for allNP) using only uniform complexity assumptions. We show that uniform variants of the two definitions of security, presented in the pioneering work of Goldwasser and Micali, are in fact equivalent. Such a result was known before only for nonuniform formalization. Nonuniformity is implicit in all previous treatments of zero-knowledge in the sense that a zero-knowledge proof is required to “leak no knowledge” onall instances. For practical purposes, it suffices to require that it isinfeasible to find instances on which a zero-knowledge proof “leaks knowledge.” We show how to construct such zero-knowledge proof systems for every language inNP, using only a uniform complexity assumption. Properties of uniformly zero-knowledge proofs are investigated and their utility is demonstrated. This research was partially supported by the Fund for Basic Research Administered by the Israeli Academy of Sciences and Humanities. Revision of this work was supported by Grant No. 89-00312 from the United States-Israel Binational Science Foundation (BSF), Jerusalem, Israel.     

A perfect zero-knowledge proof system for a problem equivalent to the discrete logarithm

An interactive proof system is calledperfect zero-knowledge if the probability distribution generated by any probabilistic polynomial-time verifier interacting with the prover on input theoremϕ, can be generated by another probabilistic polynomial-time machine which only getsϕ as input (and interacts with nobody!). In this paper we present aperfect zero-knowledge proof system for a decision problem which is computationally equivalent to the Discrete Logarithm Problem. Doing so we provide additional evidence to the belief thatperfect zero-knowledge proof systems exist in a nontrivial manner (i.e., for languages not inBPP). Our results extend to the logarithm problem in any finite Abelian group. This research was partially supported by the Fund for Basic Research Administered by the Israeli Academy of Sciences and Humanities. An early version of this paper appeared inAdvances in Cryptology —Crypto 88 (Proceedings), S. Goldwasser (ed.), pp. 57–70, Lecture Notes in Computer Science, vol. 403, Springer-Verlag, Berlin, 1990.     

Tiny families of functions with random properties: A quality-size trade-off for hashing

We present three explicit constructions of hash functions, which exhibit a trade-off between the size of the family (and hence the number of random bits needed to generate a member of the family), and the quality (or error parameter) of the pseudorandom property it achieves. Unlike previous constructions, most notably universal hashing, the size of our families is essentially independent of the size of the domain on which the functions operate. The first construction is for the mixing property—mapping a proportional part of any subset of the domain to any other subset. The other two are for the extraction property—mapping any subset of the domain almost uniformly into a range smaller than it. The second and third constructions handle, respectively, the extreme situations when the range is very large or very small. We provide lower bounds showing that our constructions are nearly optimal, and mention some applications of the new constructions. © 1997 John Wiley & Sons, Inc. Random Struct. Alg., 11 , 315–343 (1997)     

Efficient approximation of product distributions

We describe efficient constructions of small probability spaces that approximate the joint distribution of general random variables. Previous work on efficient constructions concentrate on approximations of the joint distribution for the special case of identical, uniformly distributed random variables. © 1998 John Wiley & Sons, Inc. Random Struct. Alg., 13: 1–16, 1998     

Testing Monotonicity

at arguments of its choice, the test always accepts a monotone f, and rejects f with high probability if it is ε-far from being monotone (i.e., every monotone function differs from f on more than an ε fraction of the domain). The complexity of the test is O(n/ε). The analysis of our algorithm relates two natural combinatorial quantities that can be measured with respect to a Boolean function; one being global to the function and the other being local to it. A key ingredient is the use of a switching (or sorting) operator on functions. Received March 29, 1999